Experiences, Challenges, and Innovations in Developing Cybersecurity Products

Welcome to the 4th episode of our Energy Talks miniseries, called Cybersecurity in the Power Grid, in which we provide you with a 360-degree view of how power grids can best safeguard their infrastructures from cyber attacks.

In Part 4 of our cybersecurity miniseries, Anastasiya Shvetsova, OMICRON software quality assurance engineer, and Jaques Grobler, who is a full-stack developer at OMICRON, share their experiences, challenges, and innovations in developing our cutting-edge cybersecurity products.

Learn about their personal journeys and what inspired them to become cybersecurity developers in the fields of quality assurance and full-stack development. Discover how they stay current with state-of-the-art practices to develop innovative solutions while ensuring the excellence and quality of the products.

From their daily challenges to their proudest successes and learnings, Anastasiya and Jaques offer valuable insights into their collaboration with other teams and the importance of their work in enhancing cybersecurity.

Stay tuned for upcoming episodes in our Cybersecurity in the Power Grid miniseries.


“The cyber threat landscape is continuously evolving. People find new ways to attack computer systems nearly every day.”

Anastasiya Shvetsova

Software Quality Assurance, OMICRON

Here Are the Key Topics from This Episode

Daily Challenges: Anastasiya Shvetsova and Jaques Grobler discuss the challenges of navigating complex products and the ever-evolving cybersecurity landscape, emphasizing the need for continuous learning. They highlight the importance of frequent security maintenance and ongoing education in the dynamic cybersecurity field.

Ensuring Excellence: Anastasiya, a QA engineer, ensures cybersecurity excellence via SSDLC. Jaques, a full-stack developer, proactively identifies vulnerabilities, collaborates with teams, and prioritizes prevention through continuous learning and risk assessments.

Industry Challenges: In the power protection industry, Anastasiya and Jaques observe the unique challenges of ensuring cybersecurity in operational technology (OT) where critical infrastructure is managed. They emphasize the crucial collaboration between protection and IT engineers in addressing cybersecurity concerns, highlighting the need for continuous learning and domain expertise.

Future of Cybersecurity: Anastasiya and Jaques discuss the future of power provider cybersecurity. They foresee the increasing digitalization of power systems, emphasizing the vulnerability to cyber threats. 

Scott Williams, Host [00:00:07] Welcome to Energy Talks, a regular podcast series with expert discussions on topics related to power system testing, data management, and cybersecurity in the power industry. My name is Scott Williams from the podcast team at OMICRON and I will be your host. 

Hello everyone. Welcome to our special Energy Talks miniseries called Cybersecurity and the Power Grid, in which we provide you with a 360-degree view of how power grids can best safeguard their infrastructures from cyber-attacks. In this fourth episode of our cybersecurity miniseries, we are joined by my guests Anastasiya Shvetsova, who works on software Quality Assurance at OMICRON, and Jaques Grobler, who is a full-stack developer at OMICRON.

They will share their experiences, challenges, and innovations in developing OMICRON's cutting-edge cybersecurity products. Learn about their personal journeys and what inspired them to become cybersecurity developers in the fields of quality assurance and full-stack development. Discover how they stay current with state-of-the-art practices to develop innovative solutions while ensuring the excellence and quality of the products.

From their daily challenges to their proudest successes and learnings, Anastasiya and Jaques provide valuable insights into their collaboration with other teams and the importance of their work in enhancing cybersecurity. 

Anastasiya and Jaques, welcome to this special miniseries episode of Energy Talks about cybersecurity in the power industry. 

Anastasiya Shvetsova, Guest [00:01:47] Hi Scott, thank you for the invitation. 

Jaques Grobler, Guest [00:01:49] Hi Scott, thanks for having me here.

Scott Williams, Host [00:01:51] Thank you for taking the time to talk about navigating challenges and embracing innovations in development. 

Can you introduce yourselves and share what motivated you to become cybersecurity developers in the fields of quality assurance and full-stack development at OMICRON? Is there anything in particular that drew you to this field of work? Anastasiya, can we start with you? 

Anastasiya Shvetsova, Guest [00:02:15] Yeah, sure, Scott. Well, hello again. My name is Anastasiya. I'm from Ukraine. I have been working as a quality assurance engineer for over five years and I entered the IT world straight after graduating from my university. I transitioned to the cybersecurity world in March 2022 by joining OMICRON. For me, it was an excellent opportunity for my professional growth and a personal challenge. I chose a career in QA because it aligns perfectly with who I am. I'm naturally curious, which means I love digging deep into things and figuring out how they work. Also, I have a knack for spotting mistakes and am not shy about pointing them out, but always in a helpful way. I really enjoy the challenge of applying my curiosity and determination to leave no stone unturned when it comes to finding possible problems and bugs, especially if it is crucial for the project's success. Previously, I worked on a project that helped people to secure their goods. So that was my background. Now I'm helping people to secure their substations. Level up.

Scott Williams, Host [00:03:28] Very good. When you say “level up”, what do you mean by that? 

Anastasiya Shvetsova, Guest [00:03:32] That I leveled up. So, from the small things like securing goods to the bigger things like securing substations.

Scott Williams, Host [00:03:39] Very good. Okay. Good to know. So, Jaques, what motivated you to become a cybersecurity developer? 

Jaques Grobler, Guest [00:03:46] So I started my journey all the way down in sunny South Africa. And I've only been part of the OMICRON team for about, I guess, a year and a half, closing in on two now. I started my academic journey in sort of with a focus on electrical and electronic engineering but gradually found myself drifting more into software. And so over the years, I worked in several fields, starting in energy, but then went to Fintech and a bit of automotive, some hosting, and even AI, and then slowly realized I was back in the energy field here at OMICRON. So, what drew me here is the prospect of working not just with interesting software and technology stacks but also that already comes with its own cybersecurity considerations. On top of that, having an actual cybersecurity solution that involves intrusion detection and monitoring. So that seemed to me like a whole extra layer of intrigue on top of these typical challenges that I've already been exposed to. And I think it really ups the importance of security-mindedness even more. And, you know, one weakness in the application interface could really lead to potentially big problems. So, there's much more to consider and learn from. And I think the challenge there really pulled me in.

Scott Williams, Host [00:05:06] Very good, Jaques. Thank you. What are some of the daily challenges you both face as cybersecurity developers, and how do you overcome them to deliver robust solutions? Anastasiya, let's start with you.

Anastasiya Shvetsova, Guest [00:05:19] Thank you. So, at OMICRON, the most challenging part of my job has been dealing with our complex products and the need to have knowledge in various fields. However, I remain optimistic that things will improve over time. Another thing is that the cybersecurity/cyber threat landscape is continuously evolving. People find new ways to attack computer systems nearly every day. To stay on top of things, IT engineers need to continue learning about the latest risks and how to protect against them. It's like an ongoing puzzle, and I must keep improving to ensure our products are properly tested and secure.

Scott Williams, Host [00:06:01] Anastasiya, thank you so much for that. Jaques, what is your opinion? What challenges do you face, and how do you overcome them with robust solutions?

Jaques Grobler, Guest [00:06:10] Challenging, but I can add, is trying to find a balance between the other fields and in keeping the cybersecurity mindedness going. It can be tricky to keep that in mind, especially at the planning stages, as there are so many sides to the project that you must consider and keep in your head. And then there are also so many different disciplines working together. For example, if you're collaborating with the user interface or UI and UX experts, it's important to keep security ever present, too, because that can influence the design choices and even call for reworking an approach that can now be user experience-minded and security-minded at the same time. And the same will also apply to trying to design a feature for some application architecture. Are you collaborating with the cybersecurity team? Cybersecurity-related findings and research can heavily influence design choices.

On top of being so security conscious and our design choices, it's also really important to do frequent security maintenance, and that comes with its own challenges because new vulnerabilities can often appear for any number of components for the system you're developing. And yeah, we must stay on top of that, of course, with frequent evaluations of these. For example, if we find some zero-day vulnerabilities without patches or solutions, year two can be quite an interesting head-scratcher trying to figure out how this would affect us, how we would mitigate it, and the potential risks. So, there's a constant need for learning and educating oneself in this field. On top of your actual implementation research, and for that, you must do some studying on your own, maybe some courses, or sometimes, if we're lucky, we get an interesting security workshop from our own cybersecurity experts so that you also might have met in the series already. So yeah, it's definitely a very challenging field. 

Scott Williams, Host [00:08:04] Anastasiya, as a quality assurance engineer, how do you ensure the excellence and reliability of OMICRON’s cybersecurity solutions? Can you highlight the processes and methodologies that you employ? 

Anastasiya Shvetsova, Guest [00:08:17] Yes, sure. So, to ensure security, we follow a systematic approach, SSDLC or Software Secure Development Life Cycle. It involves understanding requirements, learning design activities, and analyzing potential threats. We perform both manual and automated testing using various methods like setting and dynamic analysis, penetration testing for both internal and external, and other things. This thorough testing helps us find vulnerabilities and security issues. We made security testing a part of our development schedule pipelines to catch the problems early. We collaborate closely with development and operation teams to address security finance effectively. We also keep detailed records of test cases and results for transparency and accountability. The results can be used in testing retros to improve our testing processes. Another thing is that we also have cyber security mornings. That's the blocking time when the whole team performs the vulnerability audit of all used components. As quality assurance engineers in the ever-changing world of cyber security, we focus on continuous learning and staying updated with the latest threats and testing techniques to keep our systems safe and reliable.

Scott Williams, Host [00:09:40] Jaques, could you tell us what a vulnerability audit involves? 

Jaques Grobler, Guest [00:09:43] So, as Anastasiya has mentioned, we also add the same process in our team every week, and it's at least four so that we keep it going and always make time for it. We have a chunk of time blocked every Thursday morning where we have rotating roles, kind of like a rotation for the team of, say, two members at a time are assigned to this, and that morning, they'll do some security vulnerability auditing and what that entails basically as we have in our development pipeline speech but some scanning tools integrated into that and any new components that we add to our services, whether it's on the containerization side or anything smaller, lower down a charting library, anything. All these components get scanned. And if there are any known vulnerabilities in this, this quite well kit security vulnerability database is out there that also gets scanned. Similar to what antivirus software used to do back in the day as well. These tools can kind of highlight for you what high-risk, down to low-risk vulnerabilities are for your current services and all the components therein. So, we take some time every week where we kind of just go through this and try and identify any high risks, anything that needs to be urgently fixed if and also importantly, if it actually applies to us. Sometimes, there's a component that's a tendency of the dependency of a dependency that we never actually use. It's just a small little block of code sitting deep down, and it's not really applicable. So yeah, we audit and analyze, and that's quite a big part of every week. Now that helps to keep us, and everyone on the team does it too. So, it's kind of a good way to knowledge and any findings we have, and we also have the other team members look at each other before anything is action so that we're kind of on the pulse there.

Scott Williams, Host [00:11:47] Very good. One last question about that. For a particular component, can its vulnerability change with new threats that come along? 

Jaques Grobler, Guest [00:11:57] Yeah. There's any piece of software that's been up for a while, whether it's been frequently maintained or not, can suddenly get a new vulnerability that some clever, sneaky person out there has discovered. Sometimes it's something that's been sitting on the code for years that no one's just ever thought of trying. And then, you know, you have something that's some protocol that's being used by loads of software all over the Internet, suddenly being vulnerable, and then patches start rolling out immediately. And this is like some mild panic because it's sort of been a race to try and plug that hole before some people start trying to exploit it. And so, for our processes as well. The second that these vulnerabilities get reported, whether it be by security analysts, companies out there, or someone like Microsoft who reports it, the second that information is floating around, it will also come into our pipelines. And unless it reaches us through a different channel, we will immediately start to see if we need to take action, if there's a patch, if there's a workaround, if this was an ever-present thing that can happen. 

Scott Williams, Host [00:13:07] Jaques, as a full-stack developer, how do you contribute to the comprehensive development of cybersecurity solutions? For example, what are the key aspects you consider while building secure software? 

Jaques Grobler, Guest [00:13:20] Yeah, being a full-stack developer in our team, it's a role that kind of involves quite a comprehensive approach to the software because you're responsible for both the front-end and the back-end development and everything in between and around. So, there's quite a wide breadth of knowledge and experience you need to draw from, and it requires having a sort of overarching view of the project and everything that it fits into and surrounding that. So, it can be quite a lot to keep in your head. With all these different technologies evolving and changing, you have to try and start with that. And even though some people in the team might gravitate more towards certain disciplines, like maybe someone likes working with databases more, they'll do a little more work on that. While staying full stack, it's still quite important that everyone stays on the security pulse. To build secure software, you must proactively identify these vulnerabilities. As I mentioned earlier, these processes have a lot to do with staying updated with the latest evolving threats. On top of that, it's also useful to collaborate with other teams, like the quality assurance specialists and the cybersecurity situation lists in the company, because the landscape is always changing, and there's always just new knowledge to be applied. So, it's very much a prevention-better-than-cure approach that applies when trying to build software in this way. Because any little feature or component, no matter how big or small, simple or complex, you must always consider any vulnerabilities that approach, and you can’t just then lean on your existing knowledge or experience because it's so quickly changing. And so, like the vulnerability audit tools that are in our pipeline that I mentioned, you have to have a few more tricks in your kit there. 
On top of that, we also have frequent risk assessments where we have a kind of formal list of threats and vulnerabilities that we maintain as they pop up. And then, as a whole team, we kind of sit down and go through these too and assess what the impact of this would be, how easy this would be to happen, and what actions need to be taken, or is this something that doesn't apply to us.

Scott Williams, Host [00:15:36] As IT developers in the power protection industry, what are your observations regarding the unique challenges in this industry? For example, why is it essential for protection and IT engineers to work together in cybersecurity? Anastasiya, what have been your observations in this industry? 

Anastasiya Shvetsova, Guest [00:15:54] So in the IT and OT, there are clear similarities. Now both fields prioritize security as a top concern, and software development is the crucial aspect for both of those fields. Our work involves an alliance on numerous software components, both internal and third-party. The crucial point here is that the OT field depends on our software, so it is not just about the software itself. It is about the trust and reliance placed in it. 

Scott Williams, Host [00:16:27] Very good. Okay. Thank you. Jaques, what have you observed in this industry?

Jaques Grobler, Guest [00:16:32] I think being an IT professional in any field demands continuous learning and quite deep domain expertise, you know whether it's military or healthcare, for example, or any other sector, staying informed about cybersecurity practices is paramount. However, in the realm of operational technology, or OT, where critical infrastructure is managed, IT developers really have to place extremely strong emphasis on cybersecurity, and they have to possess quite a keen understanding of how it would apply to that distinctive environment because possible threats and risks and the outcomes are all affecting critical infrastructure. So, it really has to be top priority. 

Scott Williams, Host [00:17:20] Very good. Anastasiya, what recommendations do you have for our listeners to understand the importance of your work? 

Anastasiya Shvetsova, Guest [00:17:27] So, as we have said before, developing software for critical infrastructure is a challenging task. It requires a lot of the main knowledge and well-developed processes within the team, and an understanding of what we are doing and why. Because a small bug can easily turn into a threat. Such vulnerabilities could be exploited by hackers, putting people with access to electricity at risk. As one classic said, with great power comes great responsibility. 

Scott Williams, Host [00:17:56] That's an interesting sentence there. With great power comes great responsibility. So, Anastasiya, how do you collaborate with other teams within OMICRON? And what do you appreciate about the product you are developing? 

Anastasiya Shvetsova, Guest [00:18:10] So everyone is approachable when sharing knowledge and working together. When I first started at the company as a quality assurance specialist, it took a while for me to understand everything I needed to contribute to the project because of the complicated software and testing environment. This is where the company's culture played a role. As my colleagues, including application engineers, developers, cybersecurity analysts, hardware specialists, they were always available to help me. And it has been a really positive experience to work in this group of professionals, people who are constantly developing and working towards the best result. When it comes to the product, I understand its overall importance. It helps people to protect other people.

Scott Williams, Host [00:18:56] Jaques, do you collaborate with other OMICRON teams? 

Jaques Grobler, Guest [00:18:59] Yeah. For me it's been a very similar experience in that regard. Even though the project I started working on was more in its beginning steps, there was still a lot of surrounding the domain knowledge to learn and grasp and, you know, wrap my head around. And for that, as Anastasiya said, it's really helpful to have such a collaborative culture, you know, standing with someone in front of a whiteboard as they throw out a concept for you based on their own knowledge and experience, understanding of the domain is a lot more helpful and a lot quicker than reading documents and handbooks on that topic. So, especially with the product that I work on, it interacts with other devices. So, collaboration is key there. And the last thing I'd add to this is that it also extends beyond just directly collaborating with other teams in terms of planning and knowledge sharing. Other teams also test our software, and we test theirs too. So, sometimes that can bring very interesting bugs to the surface or problems to the surface or even mitigate some sneaky little tactic that was previously missing. That definitely is a big help.

Scott Williams, Host [00:20:02] That's a good approach. So, looking ahead, what do you both envision for the future of power provider cybersecurity? Are there any emerging trends or technologies that will shape the landscape? Jaques, coming back to you, what do you envision for the future? 

Jaques Grobler, Guest [00:20:18] I definitely believe that our field is quite future-proofed in that area. The future of cybersecurity for power providers is definitely a few new trends and technologies that will shape the landscape. One, power systems are getting more and more digital with things like smart grids and IoT, or the Internet of Things. So, this means they are all connected to the internet and therefore they are all vulnerable to cyber threats. And since the outcome of any such a security breach in the power provider's system can be catastrophic, I imagine more and more emphasis will be placed on that.

Anastasiya Shvetsova, Guest [00:20:52] Yes, we also cannot close our eyes to the very fast growing and promising field of AI and machine learning. Power companies will use AI as we do on our daily basis, and machine learning to detect and respond to cybersecurity better. But at the same time, it also opens the door to new unknown threats. 

Scott Williams, Host [00:21:13] Interesting.

Jaques Grobler, Guest [00:21:13] Another one is in terms of rules and cooperation, it's going to just get more and more important to follow rules and the set regulations in the industry when working together. And it will stay essential to protect power systems from cyber-attacks because it serves as a kind of always-evolving framework that helps to ensure the security and the reliability and even the resilience of any critical infrastructure. So yeah, I guess in summary, as our providers are continuously modernizing their systems, they have to be ready for new kinds of cyber threats as they also modernizing. So, this really means that they would need to use technology such as our software and products like StationGuard and GridOps, for example. On top of, you know, further training and education in their teams and collaborating with experts and regulators. I think being able to adapt to these challenges while keeping power systems secure is key to the future of cybersecurity for power providers, and I think we will help them overcome these challenges. 

Scott Williams, Host [00:22:20] Anastasiya and Jaques, thank you both very much for joining me for this fourth episode of our Energy Talks miniseries called “Cybersecurity in the Power Industry.”

Jaques Grobler, Anastasiya Shvetsova, Guests [00:22:29] Thank you, Scott. 

Scott Williams, Host [00:22:31] Thank you both very much! 

And a big thank you to our audience for listening to this episode of Energy Talks. We always welcome your questions and feedback. Simply send us an email to podcast@omicronenergy.com.

Please join us to listen to the next episode of Energy Talks. Goodbye, for now, everyone.